rtb-credentials 0.5.4

Rust Tool Base — OS keychain credential storage.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185

//! The [`Resolver`] — walks a [`CredentialRef`] through the
//! precedence chain defined by the framework spec.

use std::sync::Arc;

use secrecy::SecretString;

use crate::error::CredentialError;
use crate::reference::CredentialRef;
use crate::store::{CredentialStore, KeyringStore};

/// Walks a [`CredentialRef`] through its resolution chain, returning
/// the first successful hit. The chain order is deliberately fixed:
///
/// 1. `env` — read `std::env::var(cref.env)`.
/// 2. `keychain` — ask the injected [`CredentialStore`].
/// 3. `literal` — use the embedded value. Refused when
///    `std::env::var("CI").as_deref() == Ok("true")`.
/// 4. `fallback_env` — read the ecosystem-default env var.
///
/// If every step misses, returns [`CredentialError::NotFound`].
pub struct Resolver {
    keychain: Arc<dyn CredentialStore>,
}

/// Which precedence layer would resolve a [`CredentialRef`].
/// Returned by [`Resolver::probe`] — see that method for the
/// resolution chain.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[non_exhaustive]
pub enum ResolutionSource {
    /// Resolved via `cref.env` — a tool-specific env var set by the
    /// operator.
    Env,
    /// Resolved via `cref.keychain` — a value stored in the OS
    /// keychain.
    Keychain,
    /// Resolved via `cref.literal` — the secret embedded in config.
    /// Only reachable when not running under `CI=true`.
    Literal,
    /// Resolved via `cref.fallback_env` — an ecosystem-default env
    /// var (`ANTHROPIC_API_KEY`, `GITHUB_TOKEN`, …).
    FallbackEnv,
}

/// Outcome of [`Resolver::probe`].
///
/// Distinct from `Result<ResolutionSource, CredentialError>` so the
/// "would have resolved literally but CI mode refuses" case has its
/// own variant — operators reading `credentials list` need to see
/// that distinction explicitly.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[non_exhaustive]
pub enum ResolutionOutcome {
    /// The credential resolves cleanly via the given source.
    Resolved(ResolutionSource),
    /// Only the literal layer is configured and `CI=true` is set, so
    /// the resolver would refuse the resolution at runtime.
    LiteralRefusedInCi,
    /// No layer resolves — equivalent to
    /// [`CredentialError::NotFound`] from [`Resolver::resolve`].
    Missing,
}

impl Resolver {
    /// Construct with an injected keychain-backed [`CredentialStore`].
    /// Tests typically pass a [`crate::MemoryStore`] here.
    #[must_use]
    pub fn new(keychain: Arc<dyn CredentialStore>) -> Self {
        Self { keychain }
    }

    /// Convenience: build a [`Resolver`] over [`KeyringStore::new()`]
    /// — the platform-native default. Equivalent to
    /// `Resolver::new(Arc::new(KeyringStore::new()))`.
    #[must_use]
    pub fn with_platform_default() -> Self {
        Self::new(Arc::new(KeyringStore::new()))
    }

    /// Walk the chain and return the resolution source without
    /// returning the secret value. Used by `rtb-cli`'s v0.4
    /// `credentials list / doctor` subcommands to report which
    /// precedence layer would supply each credential.
    ///
    /// Returns:
    ///
    /// - [`ResolutionOutcome::Resolved`] with the [`ResolutionSource`]
    ///   that hit, **if** the underlying value was readable.
    /// - [`ResolutionOutcome::LiteralRefusedInCi`] when only the
    ///   literal layer is configured and `CI=true` is set.
    /// - [`ResolutionOutcome::Missing`] when nothing resolves.
    ///
    /// Does the same I/O as [`Self::resolve`] (including a keychain
    /// fetch when configured); the secret value is read and dropped
    /// rather than returned. Operators can run `credentials list`
    /// without their console scrolling secrets — at the cost of one
    /// keychain round-trip per ref.
    pub async fn probe(&self, cref: &CredentialRef) -> Result<ResolutionOutcome, CredentialError> {
        if let Some(name) = cref.env.as_deref() {
            if std::env::var(name).is_ok() {
                return Ok(ResolutionOutcome::Resolved(ResolutionSource::Env));
            }
        }
        if let Some(keyref) = cref.keychain.as_ref() {
            match self.keychain.get(&keyref.service, &keyref.account).await {
                Ok(_) => return Ok(ResolutionOutcome::Resolved(ResolutionSource::Keychain)),
                Err(CredentialError::NotFound { .. }) => { /* fall through */ }
                Err(other) => return Err(other),
            }
        }
        if cref.literal.is_some() {
            if is_ci() {
                return Ok(ResolutionOutcome::LiteralRefusedInCi);
            }
            return Ok(ResolutionOutcome::Resolved(ResolutionSource::Literal));
        }
        if let Some(name) = cref.fallback_env.as_deref() {
            if std::env::var(name).is_ok() {
                return Ok(ResolutionOutcome::Resolved(ResolutionSource::FallbackEnv));
            }
        }
        Ok(ResolutionOutcome::Missing)
    }

    /// Walk the chain and return the first hit.
    pub async fn resolve(&self, cref: &CredentialRef) -> Result<SecretString, CredentialError> {
        // 1. Env var via the ref's explicit `env` field.
        if let Some(name) = cref.env.as_deref() {
            if let Ok(val) = std::env::var(name) {
                return Ok(SecretString::from(val));
            }
        }

        // 2. Keychain.
        if let Some(keyref) = cref.keychain.as_ref() {
            match self.keychain.get(&keyref.service, &keyref.account).await {
                Ok(secret) => return Ok(secret),
                Err(CredentialError::NotFound { .. }) => { /* fall through */ }
                Err(other) => return Err(other),
            }
        }

        // 3. Literal in config — refused under CI.
        if let Some(literal) = cref.literal.as_ref() {
            if is_ci() {
                return Err(CredentialError::LiteralRefusedInCi);
            }
            // `SecretString::clone` keeps the value inside a
            // zeroize-on-drop container for the whole copy. Going via
            // `expose_secret().to_string()` would leave a plain
            // `String` on the stack that isn't wiped on drop.
            return Ok(literal.clone());
        }

        // 4. Ecosystem-default env var fallback.
        if let Some(name) = cref.fallback_env.as_deref() {
            if let Ok(val) = std::env::var(name) {
                return Ok(SecretString::from(val));
            }
        }

        Err(CredentialError::NotFound { name: diagnostic_name(cref) })
    }
}

impl Default for Resolver {
    /// Same as [`Resolver::with_platform_default`].
    fn default() -> Self {
        Self::with_platform_default()
    }
}

fn is_ci() -> bool {
    std::env::var("CI").as_deref() == Ok("true")
}

fn diagnostic_name(cref: &CredentialRef) -> String {
    cref.fallback_env
        .as_deref()
        .map(String::from)
        .or_else(|| cref.env.as_deref().map(String::from))
        .or_else(|| cref.keychain.as_ref().map(|k| format!("{}/{}", k.service, k.account)))
        .unwrap_or_else(|| "<unnamed credential>".to_string())
}